Murdoch University 2013
Improved Gas Plant Safeguarding System
Internship Final Report
Daniel Murphy
A report submitted to the School of Engineering and Energy, Murdoch University in partial fulfilment of the requirements for the degree of Bachelor of Engineering
I&E Systems Pty Ltd
ABSTRACT
Murdoch University and I&E Systems gave Daniel Murphy the opportunity to complete a 16 week internship program, based in the Perth CBD, working on a major Australian gas plant safeguarding system project. The internship offered the opportunity to participate in a number of tasks, assisting a team of senior control system engineers to complete a long list of project deliverables. This report details the tasks that were completed while working on the safety system project at I&E Systems, and includes the following:
Honeywell distributed control system points configuration using Microsoft Access databases and Honeywell Native Windows software.
Honeywell human machine interface graphics building and configuration using Honeywell Graphical User Station software.
Factory acceptance testing of the Honeywell distributed control system and Tricon instrument protective system, using simulated inputs and outputs, Tristation software, and the aforementioned software.
This provided the opportunity to develop both personally and professionally, and proved an invaluable experience forging the path towards a control systems engineering career in the resources industry. The project’s client, the process plant location, and the plant’s owners and operators could not be disclosed in this report for reasons of safety and intellectual property.
DISCLAIMER
All of the work discussed in this report is the work of the author unless otherwise referenced. I declare the following to be my own work, unless otherwise referenced, as defined by Murdoch University’s policy on plagiarism. …………………………………………………… Daniel Murphy December 2013
ACKNOWLEDGEMENTS
I would like to thank I&E Systems PTY LTD for the opportunity to undertake a control systems engineering internship, a chance to apply and build upon the skills and theories which I have learnt during the course of my studies. All of the staff were extremely friendly, helpful and made me feel welcome. Everyone always had the time to kindly explain new concepts such as functional safety and control system redundancy, and really made me feel at home.
I would like to thank my project supervisors at I&E Systems, Chrissie Mavrofridis and Lionel Dias, whose assistance and guidance allowed me to contribute towards project deliverables and solve the many challenges that I faced while progressing through project tasks. Your time was greatly appreciated!
I would also like to thank the Engineering Manager at I&E Systems, Mirek Generowicz, and the Project Manager, Kevin North, for giving me this tremendous opportunity to cut my teeth in the industry that I have been dreaming about since I began my studies.
I would like to acknowledge my supervisor at Murdoch University, Dr Gareth Lee, who put in a huge effort to facilitate the internship and provide assistance with planning and progress throughout the course of the project. I didn’t think I could write 15,000 words in a few months but your advice and encouragement allowed me to achieve things beyond my expectations.
I would also like to acknowledge all of the academic staff at Murdoch University, particularly Professor Parisa Bahri, and Associate Professor Graeme Cole, who played a significant role in my academic career which led to my professional successes.
Finally, I would like to thank my friends and family, in particular my parents for a lifetime of love and support. I am lucky to have such amazing parents who always have my back and have taught me that in life anything is achievable if you work hard and have your priorities in order. I owe all of my achievements to you Maria and Terry Murphy!
Daniel Murphy December 2013
TABLE OF CONTENTS
1 STANDARD ABBREVIATIONS
2 INTRODUCTION
2.1 ROLE OF INTERN, DANIEL MURPHY
2.2 OBJECTIVES
2.3 BACKGROUND
2.4 SCOPE
2.5 DELIVERABLES
3 PROJECT MANAGEMENT
3.1 RISK MANAGEMENT
3.1.1 PROJECT EXECUTION RISKS
3.1.2 PROJECT DELIVERY RISKS
3.1.3 LESSONS LEARNED
3.2 COMMUNICATION
3.2.1 COMMUNICATION PLAN
3.3 TÜV RHEINLAND FUNCTIONAL SAFETY
3.4 TIME MANAGEMENT
3.5 DOCUMENTS AND PROCEDURES
3.5.1 DYNAMIC ASSET DOCUMENTATION
3.5.2 CAUSE AND EFFECTS CHARTS
3.5.3 CHECKING PROCEDURE
3.6 CHANGE MANAGEMENT
4 TRICON INSTRUMENT PROTECTIVE SYSTEM
4.1 OVERVIEW
4.2 CONTROLLER FEATURES
4.3 TRICON CONTROLLER CHASSIS
4.4 TRICON CONTROLLER NETWORK
4.5 THEORY OF OPERATION
4.6 FAULT TOLERANCE
4.7 TRISTATION SOFTWARE
5 HONEYWELL DISTRIBUTED CONTROL SYSTEM
5.1 OVERVIEW
5.2 SOFTWARE
5.3 DCS POINT PARAMETER CONFIGURATION
5.3.1 DESCRIPTION PARAMETER
5.3.2 ALARM PRIORITY PARAMETER
5.3.3 ASSOCIATED DISPLAY PARAMETER
5.3.4 PRIMARY MODULAR IDENTIFIER POINTS
5.3.5 SLOT NUMBER POINT PARAMETER
5.3.6 Tricon Alias Point Parameter
5.3.7 PROGRESS
5.3.8 PROBLEMS AND SOLUTIONS
5.4 HUMAN MACHINE INTERFACE GRAPHICS BUILDING
5.4.1 OVERVIEW
5.4.2 SUB PICTURE CONFIGURATION
5.4.3 PROGRESS
5.4.4 PROBLEMS AND SOLUTIONS
6 I&E SYSTEMS FACTORY ACCEPTANCE TESTING
6.1 OVERVIEW
6.2 SYSTEM DESIGN
6.3 LOCAL CONTROL NETWORK SYSTEM ARCHITECTURE
6.4 SOFTWARE CONFIGURATION
6.5 SYSTEM BACKUPS
7 WESTERN CONTROLS FACTORY ACCEPTANCE TESTING
7.1 TRICON INSTRUMENT PROTECTIVE SYSTEM NETWORK
7.2 FACTORY ACCEPTANCE TESTING SETUP
7.3 SIMULATED INPUTS AND OUTPUT DEVICES
7.4 TRICON CHASSIS CABINETS
7.5 METHOD
7.6 FAT CASE STUDY ‐ CORRECTING STAGING LOG ITEMS
7.6.1 TRICON DIAGNOSTIC ALARM SUMMARY PAGE
7.6.2 TRICON TUV DIAGNOSTIC POINT REPAIRING
7.6.3 HONEYWELL NATIVE WINDOWS ENGINEERING MAIN MENU
7.6.4 HONEYWELL NATIVE WINDOWS COMMAND DISPLAY
7.6.5 XLP1TUV DCS POINT PARAMETER RECONSTITUTE COMMAND
7.6.6 TRISTATION POINT FORCING AND TESTING
7.7 PROGRESS
8 CONCLUSION
9 FUTURE WORK
10 BIBLIOGRAPHY
11 APPENDIX A – PROJECT GANTT CHART
12 APPENDIX B – TYPICAL OVERALL CONTROL SYSTEM UPGRADE HARDWARE NETWORK
TABLE OF FIGURES
Figure 1 Tricon instrument protective system and Honeywell distributed control system overview
Figure 2 Honeywell and Tricon hardware scope [2]
Figure 3 Tricon chassis and module example [1]
Figure 4 Tricon typical instrument protective system overview [9]
Figure 5 Tricon controller triple modular redundant architecture [9]
Figure 6 Tristation programming language options [9]
Figure 7 Honeywell distributed control system point’s database system overview
Figure 8 Maintenance override switch Honeywell graphical alarm summary overview
Figure 9 Honeywell Native Windows points slot address allocation
Figure 10 Honeywell graphical user station sub picture graphics configuration
Figure 11 Sub picture parameter configuration example
Figure 12 I&E Systems CBD Tricon and Honeywell software installation and configuration booth
Figure 13 I&E Systems software testing Tricon and Honeywell local control network
Figure 14 Tristation software chassis slot allocation
Figure 15 Tristation to Tricon controller communication configuration
Figure 16 Honeywell Native Windows Unix backup file commands
Figure 17 Honeywell distributed control system points check‐pointing
Figure 18 Honeywell distributed control system safety manager module points and personality imaging
Figure 19 Western Controls factory acceptance testing hardware setup
Figure 20 Western Controls factory acceptance testing simulated input and output devices
Figure 21 Western Controls factory acceptance testing input and output device wiring marshalling terminals
Figure 22 Western Controls factory acceptance testing Tricon external terminal panel integration
Figure 23 IPS2 gas plant loading and unloading process controlling Tricon chassis
Figure 24 Tricon IPS2 main chassis
Figure 25 Safety system upgrade project Tricon and Honeywell hardware overview
Figure 26 Honeywell Native Windows plant operators Tricon diagnostics alarm summary graphic
Figure 27 Honeywell Native Windows points configuration engineering main menu
Figure 28 Honeywell Native Windows command display points configuration menu
Figure 29 Honeywell Native Windows XLP1TUV point interrogation page 1
Figure 30 Honeywell Native Windows XLP1TUV point interrogation page 3
Figure 31 Honeywell Native Windows XLP1TUV point interrogation page 5
Figure 32 Tristation functional block logic XLP1TUV variable forcing
Figure 33 Native Windows XLP1TUV point detail graphic
LIST OF TABLES
Table 1 Standard abbreviations used within this document
Table 2 Safety system upgrade project deliverables list [2]
Table 3 I&E Systems document checking procedure
Table 4 Cause and effects chart change management procedure example [3]
Table 5 DCS point types, parameters and application examples
Table 6 Distributed control system point alarm priorities and colour language
Table 7 DCS points configuration main project tasks and progress
Table 8 Alarm sub picture parameter configuration example
Table 9 Honeywell human machine interface graphics building project progress
Table 10 Tricon instrument protective system hardware bill of materials for the upgrade project
Table 11 Factory acceptance testing major tasks and project progress
1 STANDARD ABBREVIATIONS
Table 1 Standard abbreviations used within this document
AOA Alarm Objective Analysis
BOG Boil Off Gas
CCR Central Control Room
DAD Dynamic Asset Documentation
DCS Distributed Control System
ESD Emergency Shut‐down
ETP External Terminal Panel
FAR Field Auxiliary Room
FAT Factory Acceptance Testing
FSC Failsafe Controller
GUS Graphical User Station
HG Hiway Gateway
HM History Module
HMI Human Machine Interface
HWY Honeywell Data Hiway
IPS Instrument Protective Systems
I/O Inputs and Outputs
LCN Local Control Network
LED Light Emitting Diode
LNG Liquified Natural Gas
LPG Liquified Petroleum Gas
MOS Maintenance Over‐ride Switch
MP Tricon Main Processor
NIM Network Interface Module
PLC Programmable Logic Controller
SAT Site Acceptance Testing
SM Safety Manager
SMM Safety Manager Module
TCM Tricon Communications Module
TMR Triple Modular Redundant
TPN Total Plant Network
UCN Universal Control Network
WA Western Australia
2 INTRODUCTION
Reliability and safety are critically important to one of the world’s biggest and most advanced gas
production plants, in Western Australia. To ensure the plant’s optimal performance for many years
to come, a new instrument protective system has been installed throughout the facility to deliver a
significant technological advancement. The plant is a major supplier to energy hungry Australian and
international markets, but its previous protective system had become obsolete, presenting a serious
risk to production. [2]
Development of the replacement was undertaken in 2013 by I&E Systems Pty Ltd (IES), a Perth
based company which is a leader in instrument, electrical and safety system engineering design,
configuration and commissioning. I&E Systems previously upgraded the safety system associated
with 20 units in the plant and this project completes the plant‐wide Tricon safety system [2] upgrade
in the remaining 2 units. Two new Tricon instrument protective systems were installed for process
safeguarding and control functions, and for fire and gas detection and protection, and are consistent
with the systems in other areas of the plant. [6]
2.1 ROLE OF INTERN, DANIEL MURPHY
Daniel Murphy was recruited to the protection system replacement project under an internship in
order to complete his final year thesis. He was double majoring in industrial computer systems
engineering and instrumentation and control systems engineering at Murdoch University and this
project completed his Electrical Engineering Bachelor degree. He worked full‐time at I&E Systems’
Perth CBD office from 8th July 2013 until 18th October 2013 among a team of senior control systems
engineers.
The project involved configuring the Honeywell Distributed Control System (DCS) points database,
which linked process plant operating and alarm graphics to safety system processing computers and
field input and output devices. The Honeywell TDC 3000 Human Machine Interface (HMI) graphics
and sub‐pictures were built and configured to display operating conditions and alarms in the plant. A
typical instrument protective system and the scope of the intern are summarised below in Figure 1.
Figure 1 Tricon instrument protective system and Honeywell distributed control system overview
After the aforementioned tasks were complete, work proceeded to factory acceptance testing of the
new Honeywell and Triconex instrument protective system hardware and software. This was to
ensure that the distributed control system points database and the human machine interface
graphics were configured correctly and all the new equipment was in working order before being
installed on site.
2.2 OBJECTIVES
The project replaced existing Honeywell failsafe controller equipment with a new Tricon instrument
protective system to achieve the same safety level generally accepted by the client for its installed
instrument protective system. The scope of this upgrade project mainly included the LPG storage
and loading facility and completed the plant‐wide Tricon safety system upgrade at the plant. The
existing logic was largely retained, except as required for alignment to standard functionality and
implementation of agreed improvements (moving compressor controls and maintenance over‐ride
switches from the field to the distributed control system). The project delivered limited change to
the day‐to‐day operation of the existing plant, although the system replacement represented
significant technical change. The success of the project was highly dependent on a close working
relationship between the project team and the key stakeholders. [2]
2.3 BACKGROUND
An upgrade project began to replace the existing safety systems with more advanced Tricon
controllers to achieve plant‐wide consistency since at the time they were the leaders in fault
tolerant industrial computer systems. In 2012 the remaining controller to be replaced was a
Honeywell failsafe controller. [2]
The Honeywell failsafe controller (FSC) equipment at the plant was non‐standard [2] and customised
to meet the original project specification. This intensified the limited parts availability issue and
made it difficult to implement required changes. Also, technical knowledge of these customisations
had diminished over time, further limiting Honeywell’s ability to support the ageing equipment.
Additional support issues such as parts manufacture being on demand only and unresolved reliability
issues were apparent, so the client approved the FSC upgrade project in 2012, to be completed in
2014. The plant incorporates a total of 30 instrument protective systems and a distributed control
system encompassing 12 universal control networks and 5 local control networks. [2]
2.4 SCOPE
In outline the project scope included:
1. Installation of two latest‐version Tricon systems which implement the functional safety requirement of the client. [2]
2. Migration of the existing field inputs and outputs from the old failsafe controller systems to the new Tricon systems while the related processes remained in operation. [2]
3. Decommissioning of the boil‐off gas and refrigerant compressor package field control panels and hard‐wired maintenance over‐ride switches and re‐implementing them via the distributed control system human machine interface. [2]
The two new Tricon instrument protective systems (IPS) were called IPS1 and IPS2. IPS1 was to be
connected to the Honeywell universal control network (UCN) 2 which handles fire and gas safety
functions and is also connected to the total plant network (TPN) 1, from which the fire and gas
graphical user station was connected. IPS2 was to be connected to UCN 8 which handles
fractionation and LPG loading functions and is also connected to TPN 3, from which the graphical
user station is connected. Refer to figure 2 and Appendix B for illustrations of typical IPS/DCS
networks. [2]
Figure 2 Honeywell and Tricon hardware scope [2]
2.5 DELIVERABLES
As I&E Systems has been involved with similar projects working with the client over the past two
decades, each party knows how the other works, and together they are a very efficient team. The
contractor has extensive experience working with the client so the quality and content of the
deliverables are well established. Some of the typical deliverables for a safety system upgrade
project are listed below in table 2. [2]
Table 2 Safety system upgrade project deliverables list [2]
The items that the intern was involved with in the safety system upgrade project were the control
system specification, network maximum loading calculations, fire and gas cause and effect charts,
instrumentation maintenance procedures, Honeywell software configuration, and Honeywell/Tricon
factory acceptance testing. I&E Systems had the advantage of being able to refer to complete sets of
delivered documents from similar past projects, which was very beneficial since the client promoted
a philosophy of consistency of hardware, software and practices across the plant.
3 PROJECT MANAGEMENT
I&E Systems established a project team with a dedicated Project Engineer to provide management
services, complete detailed engineering for the provision, installation and tie‐in of the new systems
and perform factory acceptance testing for the new systems. I&E Systems coordinated all
engineering activities and provided all technical instructions for third‐parties, and completed all
required close‐out activities. [2]
3.1 RISK MANAGEMENT
A number of risks were identified in the scoping phase of the project and captured by the client. I&E
Systems conducted a risk identification review during the front end design phase, which involved the
client’s instrument and systems personnel and considered risks based on experience with other
projects. A further risk review workshop was held during the develop phase with the client’s
stakeholders including project engineers, project operations coordinators, instrument and systems
engineers, process engineers, and the construction personnel. [2]
3.1.1 PROJECT EXECUTION RISKS
Errors in design or execution could have led to a latent fault in the instrument protective system,
subsequently causing failure on demand. Developing and working to a functional safety
management plan in accordance with AS/IEC 61508 [4] was a key preventative control.
A migration strategy was developed by I&E Systems to describe the structured transfer of inputs and
outputs from the failsafe controller to the replacement instrument protective system. The objective
of the strategy was to minimise the shutdown of the affected process equipment while addressing
the constraints posed by the logic structure, input/output allocation and physical space. Risk
assessments are required to reduce the risk of protective functions being compromised during
project implementation. [2]
3.1.2 PROJECT DELIVERY RISKS
The project assumed the availability of a focal point from plant operations to assist with the
refinement of the migration strategy, the development of the migration work‐packs, to assist with
preparation of permits, and to provide input into the revised distributed control system graphics and
training materials. Non‐availability of such a resource would have inhibited the project’s ability to
meet its schedule and could have compromised the effectiveness of technical deliverables. The
project assumed the timely review and approval of engineering deliverables. This had a direct impact
on project schedule. [2]
If there was a critical failure of the failsafe controller during the project requiring rectification or
complete urgent replacement, then the assurance checks such as factory acceptance testing and site
acceptance testing could have been compromised. The effect of this may have been a latent fault. To
mitigate this, the client considered the procurement of critical parts with Honeywell as part of their
responsibility to maintain the existing system. Limited spare parts were available and the client
considered failure of the Honeywell failsafe controller in their disaster recovery plans. [2]
Executing the project based on flawed or incomplete technical information would have created a risk
of compromising required protective functions, leading to failure on demand, and delays or inability
to deliver the project. To mitigate this risk, existing design documents were reviewed and reconciled
during the develop phase. [2]
3.1.3 LESSONS LEARNED
Several events which have previously caused project delays were closely monitored during the life‐
cycle of the project to mitigate the risk of delay. These were:
1. Site permits can delay progress from an operational point of view.
2. Tracking issues of equipment and missing material on‐site have historically led to project delays. There is a certain level of risk accepted by relying on site workers, managers and couriers.
3. The procurement was outsourced as it was inefficient for I&E Systems to provide these services in‐house. There is a certain level of acceptable risk caused by events such as:
a. Incorrect versions of software or hardware being delivered
b. Waiting for deliverables due to scope misunderstandings
c. Specified equipment at risk of being unavailable
Therefore consultants and contractors experienced with similar projects and procedures were a vital element to mitigate risk of project delays.
3.2 COMMUNICATION
The success of the project was highly dependent on effective and efficient communication between
the project team and the key stakeholders. The I&E Systems project manager was responsible for
keeping the schedule updated. Monthly reporting covered costs, progress achieved, progress
planned, scheduled performance against milestones, proposed final cost, risk management and
outstanding queries. Vendor and progress meetings took place monthly or as required.
3.2.1 COMMUNICATION PLAN
The communication plan was a live document which defined all communication activities so they could be managed along with other project activities in a structured way. The plan had the following objectives: [2]
1. To ensure that all relevant stakeholders were kept fully informed of project objectives and
progress, had regular opportunity to provide feedback, had any concerns addressed
promptly, and could coordinate their respective efforts to achieve optimal project
outcomes. For example, I&E Systems performed fortnightly visits to Western Controls to
check progress and solve concerns related to the manufacture of numerous control cabinets
and wiring of internal control equipment. [2]
2. To ensure that all commercial and technical issues were well documented and had clear
outcomes, had assigned follow‐up actions so that outcomes were applied appropriately, and
were agreed by people with the appropriate authority. [2]
3. To ensure the project got the full support from those affected by it so the project achieved
smooth transitions, minimum of operational impacts or delays, and full buy‐in to the new
equipment and functionality. [2]
3.3 TÜV RHEINLAND FUNCTIONAL SAFETY
Functional Safety is concerned with project risk mitigation techniques and auditing, and quality
assurance in terms of hardware certification of Safety Integrity Level (SIL) [4] and Safety
Instrumentation Systems (SIS) [4]. TÜV Rheinland provided technical assurance, reliability and quality
control services for the gas plant safety system upgrade project [5]. TÜV Rheinland audited the
entire project from hardware to testing procedures and documentation to ensure procedures,
documentation and deliverables conformed to applicable standards. [2]
Functional safety standards could be applied to all areas of the project that were worked on. The ISO
13849‐1 [5] standard governs safe functioning of machinery and devices, and was applied to the
Tricon hardware and the field input and output devices. The EN 62061 [5] and EN 61058 [5]
standards focus on electronic functions and software, and these standards were applied to the Tricon
and Honeywell software such as Tristation, GUS, and Native Windows. Safety functions are assessed
using the ISO 13849‐1 or EN 62061 and these standards mainly related to the factory acceptance
testing phase of the project. [4]
TÜV has certified that the Tricon controller is in full compliance with the standards listed below, and is qualified for use in the following applications: [4]
1. Emergency safety shutdown or other critical control applications requiring SIL 1‐3
certification per the functional safety requirements of IEC 61508
2. Fire and gas detection applications requiring certification per the requirements of EN 54
3. All applications requiring compliance with the Low Voltage Equipment Directive No.
72/23/EEC [4]
3.4 TIME MANAGEMENT
The project leader updated and controlled a Gantt chart (named after Henry Gantt) for the entire
project. This document was at a much higher level than the personal Gantt chart and described
overall project goals rather than detailed individual tasks. This document was accessible to all team
members and informed the group of overall task, progress, delays and any deadline changes. Team
members could view which engineers were assigned to each task, allowing them to communicate
effectively and work together to achieve a common goal. Project resources were managed with the
use of this universal Gantt chart and critical tasks were identified and made priority to reduce delays
and prevent deadline overrun.
A universal spreadsheet was used to track unresolved items in the distributed control system
upgrade project. All team members at I&E Systems involved with the points database recorded any
discrepancies, queries and changes in the Microsoft Excel universal spreadsheet via the designated
document controller. Items could be viewed and resolved by any team member. This introduced
efficiency and clarity to the project. When an item was closed out the engineer completed the
comments cell which allowed the project manager to verify that a satisfactory resolution was
achieved. The close out comments introduced consistency to the project as solutions and actions
could be applied to unresolved items, reducing the potential for creating discrepancies in future.
When an engineer began working on a group of unresolved items in the universal spreadsheet a
group email was sent to the team to prevent several people unknowingly investigating the same
items. Once the engineer completed a group of unresolved items the close out information was
emailed to the document controller who updated the universal spreadsheet and emailed the
updated spreadsheet revision to all team members. Daily group emailing was therefore an effective
and essential communication tool when several engineers were working together on a project.
A personal Gantt chart was used to list and tick off project tasks while working on the safety system
upgrade project. Depending on the information available, action items were entered with a
granularity of 1 to 14 days. This was an effective tool for time management as an item could be left
until sufficient information was available to complete the task. Project advancement was recorded in
this Gantt chart and it was possible to gauge if progress was tracking to plan and pay particular
attention to critical items to ensure delays were not introduced.
A diary was used on a daily basis to record and track progress, queries, unresolved items, task
resolution comments, procedures and general notes. This proved to be an extremely valuable
practice when working on multiple tasks within a team. The diary also served as a central source of
information to update the personal Gantt chart and email the document controller on a regular
basis.
3.5 DOCUMENTS AND PROCEDURES
3.5.1 DYNAMIC ASSET DOCUMENTATION
Dynamic Asset Documentation (DAD) is a system information model that describes connected
systems, power, control, IT and communications in a single digital representation. The model is
made up of connected components and stores all information required to construct and maintain
systems. [7]
This software package centrally housed and controlled all documents related to the upgrade project
such as specifications, procedures, databases, photographs, reports and vendor data sheets. All
control systems engineers at I&E Systems utilised this software to ensure consistency, efficiency and
quality control during the span of the project.
3.5.2 CAUSE AND EFFECTS CHARTS
Cause and effects charts were the central documents that mapped out the complete scope of the
project from a systems engineering point of view. They were initially created and provided by the
client’s process engineers, then updated and managed by I&E Systems control systems engineers. All
of the DCS points and their interrelations were documented in these charts and they were used by
the intern throughout the project, from configuring DCS point parameters, to building HMI graphics
and configuring sub‐pictures, and during the factory acceptance testing phase of the project. [3]
3.5.3 CHECKING PROCEDURE
The image below shows the colour convention used at I&E Systems for checking documents before they were approved and submitted. It was a standard procedure that someone must check all documents and mark up any errors or discrepancies using a red pen. The document owner then updated the document and marked the corrections using a yellow highlighter once complete. The checker then inspected the document to ensure all red pen mark ups had been highlighted in yellow and repeated the process if errors were found. Any further updates were highlighted in blue and once complete, the checker finally used a green highlighter to show that the checking process was complete. This is shown in Table 3.
Table 3 I&E Systems document checking procedure
This checking procedure was an effective method to eliminate human error and ensure all
documents delivered to the client or used for information during the project were correct and
consistent. For such a complicated technical project a thorough checking procedure increased the
efficiency and quality of the work produced, while a lot was learned checking other engineers’
documents based on other areas of the project.
3.6 CHANGE MANAGEMENT
It was evident that the key to successfully implementing a large scale safety system upgrade working
with a team of engineers, clients and contractors was to plan, organise, manage, communicate and
record all changes that were made throughout the project. From start to finish changes were made
to the cause and effects charts and the DCS specification at the client’s request which affected the
DCS point parameter configuration, the layout of the HMI graphics and the DCS points referenced
within the sub‐pictures, along with factory acceptance test procedures. Thus, it was extremely
important that changes were highlighted and noted within these documents so that their effects
could be efficiently dealt with. The document controller played a very important role in capturing
and recording these changes and notifying all parties involved.
Table 4 below shows an example of a typical change management tab which accompanied every
Microsoft Excel cause and effect chart working copy. As shown, each update or correction was
captured by the cause or effect tag, date, change description, change source, engineer modified by,
engineer checked by, and comments. The change management tab of every cause and effect chart
was updated regularly when spelling mistakes or discrepancies were discovered. It also helped to
determine exactly what DCS database points were affected by changes to these central design
documents. [3]
Table 4 Cause and effects chart change management procedure example [3]
4 TRICON INSTRUMENT PROTECTIVE SYSTEM
4.1 OVERVIEW
A Tricon Instrument Protective System (IPS) is a network of industrial computers [9], manufactured
by Invensys which can be implemented to control the process functions and automated safety
monitoring and shut down systems of major oil and gas processing facilities. A Tricon IPS is typically
installed in complex process applications where the risk of equipment failure is very high and the
effect could be catastrophic. The failsafe controllers are set up and configured similar to standard
programmable logic controllers, except for the allowance of hardware redundancy [10], sensing
device voting [11], and the ability to schedule a safe and orderly shutdown in the event of critical
hardware failures or risky occurrences being detected such as a fire or major loss of product
containment. [11]
Tricon instrument protective system upgrade projects have continued to be approved at the plant
as, at the time of the first Tricon installation, they were considered the most reliable and effective
failsafe controllers available. The recent loading and offloading facility safety system upgrade project
also involved the implementation of a Tricon IPS as the hardware and software has proved to be
reliable and well suited to the application. It also continued with the goal of achieving consistency at
the plant, limiting the chance of operational and maintenance related faults and reducing the
complexity of the spare parts inventory. [2]
4.2 CONTROLLER FEATURES
The Tricon controller is a state of the art programmable logic controller that provides a high level of system fault tolerance. To maximise system integrity, Tricon includes features such as: [9][10]
1. Triple Modular Redundant (TMR) architecture whereby each of three identical system channels independently executes the control program.
2. The ability to withstand harsh industrial environments.
3. Enabling field installation and repair to be done at the module level while the controller remains online.
4. Providing support for remote modules as far away as 12 kilometres from the main chassis.
5. Providing online diagnostics with adaptive repair capabilities.
6. Supports up to 118 I/O modules (analog and digital) and communication modules that interface with Modbus masters and slaves.
7. Allowing maintenance while the Tricon controller is operating, without disturbing the controlled process. [9][10]
4.3 TRICON CONTROLLER CHASSIS
A basic Tricon controller consists of three main processors, two power supplies, I/O modules, communication modules, the chassis enclosing the modules, field wiring connections, and a Tristation PC. Each module has a protective cover that ensures no components or circuits are exposed even when a module is removed from the chassis. An example of a Tricon chassis complete with power supplies, main processors and input/output modules is shown in figure 3 below. [9][10]
Figure 3 Tricon chassis and module
4.4 TRICON CONTROLLER NETWORK
A Tricon controller instrument protective system network can include a maximum of 15 chassis, housing any appropriate combination of input, output, communication, and interface modules. There are 3 types of chassis described in table 10: Main, Expansion, and RXM [10]. An example of a Tricon chassis network is illustrated in Figure 4.
Figure 4 Tricon typical instrument protective system overview
4.5 THEORY OF OPERATION
A Triple Modular Redundant (TMR) architecture ensures fault tolerance and provides error‐free, uninterrupted control in the presence of either hard failures of components or transient faults from internal or external sources. Every I/O module houses the circuitry for three independent channels. Each channel on the input modules reads the process data and passes that information to its respective main processor. The three main processors communicate with each other using a proprietary high speed bus system called the TriBus. An illustration of a typical Tricon controller triple modular redundant system architecture is shown in figure 5 below. [9][10]
Figure 5 Tricon controller triple modular redundant architecture
4.6 FAULT TOLERANCE
Fault tolerance is the ability to detect error conditions and to take appropriate corrective action online leading to increases in safety and availability of the controller and the process being controlled. Using the TMR architecture, if a hardware failure occurs in one module, the faulty module is overridden by the redundant pair. Repairs consist of removing and replacing the failed module while the Tricon controller is online and without process interruption. The controller then reconfigures itself to full TMR operation. [9][10]
Extensive diagnostics on each channel, module and functional circuit immediately detect and report operational faults by means of indicators or alarms. The diagnostics also store information about faults in system variables. If faults are detected, the operator can use the diagnostic information to modify control actions or direct maintenance procedures. [9][10]
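The override-by-the-redundant-pair behaviour described above can be pictured with a generic majority voter; this is an added example of the general TMR technique, not code from the report and not the Tricon's proprietary voting or diagnostics. The class name, the three-scan fault threshold, the choice of False as the safe (trip) value and the scan data are all assumptions made for illustration.

```python
from collections import Counter


class TmrVoter:
    """Majority voter for one digital signal read by three redundant channels."""

    def __init__(self, fault_threshold=3, safe_value=False):
        self.channels = ("A", "B", "C")
        self.fault_threshold = fault_threshold  # assumed diagnostic limit
        self.safe_value = safe_value            # assumed: False means "trip"
        self.miscompares = {ch: 0 for ch in self.channels}
        self.faulted = set()

    def vote(self, readings):
        """Vote one scan. Returns (voted_value, channels_that_disagreed)."""
        healthy = {ch: bool(readings[ch])
                   for ch in self.channels if ch not in self.faulted}
        if not healthy:
            raise RuntimeError("all channels faulted: nothing to vote on")
        counts = Counter(healthy.values())
        if len(healthy) == 2 and len(counts) == 2:
            # Degraded to two channels and they disagree: there is no
            # majority, so take the safe value and report both channels.
            return self.safe_value, sorted(healthy)
        voted = counts.most_common(1)[0][0]
        disagreed = sorted(ch for ch, v in healthy.items() if v != voted)
        for ch in healthy:
            # Count consecutive miscompares; an agreeing scan resets the count
            # so a transient glitch does not take a channel out of service.
            self.miscompares[ch] = self.miscompares[ch] + 1 if ch in disagreed else 0
            if self.miscompares[ch] >= self.fault_threshold:
                self.faulted.add(ch)
        return voted, disagreed

    def replace(self, channel):
        """Model swapping a failed module online: the channel rejoins the vote."""
        self.faulted.discard(channel)
        self.miscompares[channel] = 0


def run_scans(voter, scans):
    """Feed a sequence of scans through the voter and collect the results."""
    return [voter.vote(scan) for scan in scans]


# Constructed scan data: channel B sticks at False while the process is healthy.
STUCK_B = [{"A": True, "B": False, "C": True}] * 3

if __name__ == "__main__":
    v = TmrVoter()
    for result in run_scans(v, STUCK_B):
        print(result, "faulted:", sorted(v.faulted))
```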
4.7 TRISTATION SOFTWARE
The Tristation console loads and configures the PLC logic and Tricon points. Tristation software is required to develop and download the control program that runs on the Tricon controller. Tristation provides three programming languages which comply with the IEC 61131‐3 standard: Function block diagram, ladder diagram and structured text. An optional language, cause and effect matrix, can be purchased separately. The Tristation control logic programming language options are shown in figure 6 below. [9][11]
Figure 6 Tristation programming language options [9]
The Tricon logic coders at I&E Systems implemented the Functional Block language using Tristation software for all code related to the Tricon safety system upgrade project. This was selected due to consistency with previous projects in the gas plant and the fact that it is a very efficient, effective language that is well suited to this large scale application with many repetitive code functions. This project did not involve Tricon coding, however Tristation software was used regularly while establishing communications between the Tristation console and the Tricon communications module, and for testing alarms while repairing DCS configuration faults during factory acceptance testing.
5 HONEYWELL DISTRIBUTED CONTROL SYSTEM
5.1 OVERVIEW
A distributed control system (DCS) is a network which supports the instrument protective system
(IPS) and allows process variables and alarms to be viewed and operated. The IPS is essentially a
node on the DCS network, along with a human machine interface (HMI) console and a history
module.
The recent plant‐wide upgrade called for the Honeywell failsafe controller to be replaced with
Triconex proprietary hardware and software, while retaining the existing Honeywell distributed
control systems and human machine interfaces. This occurred for many reasons such as reliability,
cost, time constraints, but mainly because of the massive risk to production and safety that
implementing a new operating system would introduce.
Tricon can be implemented seamlessly while on‐line with very minimal changes to the everyday
operation of the plant. However an entirely different HMI would require all of the operators,
engineers and maintenance crew to learn how to operate and navigate through a completely new,
largely complex process plant control structure. The risk of errors caused by new alarm display and
resolution methods, different alarm colour scheme language and even just being able to visualise
normal operating conditions is far too high to accept for such a large producing plant with potential
for catastrophic effects of failure.
The retained Honeywell proprietary products consisted of the TDC 3000 distributed control system
and HMI hardware, along with graphical user station and native windows software. The Honeywell
TDC 3000 HMI is used to display and control process variables and alarms within the plant. This is
Honeywell’s second distributed control system model, superseding the TDC 2000 variant, and
preceding the current Experion package. All work building and updating graphics in this project was
for use with Honeywell TDC 3000 hardware and software. [8][12]
5.2 SOFTWARE
The Unisim station software loaded and configured the Network Interface Module (NIM) simulator,
History Module (HM) and NIM nodes onto the Local Control Network (LCN) and the Universal
Control Network (UCN). The NIM simulator was used to replicate points and controllers existing in
the gas plant so that devices on the LCN and UCN could be tested in a simulated environment. This
was only necessary during the factory acceptance testing phase of the project as NIM simulations
are made redundant by existing controllers and I/O devices in the plant networks. No work was
contributed to setting up and configuring the Unisim station as part of the internship project, since
this was performed by Honeywell Engineers. [8][13]
Graphical User Station (GUS) was the Honeywell software package used to create and modify
process and safety related graphics in the upgrade project. It also facilitated the Human Machine
Interface (HMI) to display and control the entire process plant. This software was used extensively
during graphics building and sub‐picture configuring phases of the project, and later during the
factory acceptance testing phase for exporting validated graphics files into databases to amend
errors discovered during software functionality testing. [8]
Honeywell Native Windows Software was used to load and configure the TPN1 and TPN3 DCS points
onto the Tricon Safety Manager Modules (SMM). This software was used during factory acceptance
testing to amend TPN1 alarms which were not working correctly due to incorrect parameter
configuration. [8]
5.3 DCS POINT PARAMETER CONFIGURATION
The first task that was worked on during the internship was configuring the Distributed Control
System (DCS) points database. This task was focussed on during the first 5 weeks of the project and
was revisited towards the end of the contract while repairing faults discovered during safety system
testing.
DCS points link process variables to the DCS control strategy. There is a one to one relationship
between I/O points and field devices. Points not used for I/O are called control points and these are
used to communicate values to the Tricon instrument protective system. Input points may be
referenced by any number of control points. Each DCS point contains a certain number of
parameters. The type and number of each point’s parameters depends on the type and function of
the point. [8]
The gas plant Tricon instrument protective system upgrade required 1679 DCS points to be
configured using a Microsoft Access database. 1015 existing points required updated parameters
from the existing Honeywell Hiway standard to the new Honeywell Network Interface Module (NIM)
standard. 664 new NIM points were built and configured. A list of the DCS upgrade point types,
descriptions and numbers of parameters requiring configuring is shown in Table 5.
Table 5 DCS point types, parameters and application examples
There were four types of inputs and zero outputs incorporated into the DCS design as it was
predominantly used as the Honeywell HMI plant wide control and display mechanism. Thus, there
were many Tricon tags associated with analog and digital controller outputs which were unused by
the Honeywell DCS and HMI. All DCS database input point types were associated with the Tricon
Input modules and devices. The digital composite point type was used to send commands from the
DCS back to the Tricon IPS and was independent of field input devices. This is illustrated in Figure 7
Honeywell distributed control system point’s database system overview.
Figure 7 Honeywell distributed control system point’s database system overview
The selection between an Analog Input NUMERNIM point and a more complex ANINNIM point does
not depend on the type of field sensor, rather the complexity of the control strategy that the point
relates to. By selecting an Analog or Digital Input DCS point type with an available number of
parameters close to the number of parameters that the control strategy requires, the processing
requirement of the Safety Manager Module (SMM) and the Network Interface Module (NIM) is
significantly reduced.
The first revision of the DCS points list was derived from the cause and effects charts, provided by
the client. The DCS points were configured by I&E Systems using in‐house experience and expertise,
referring to the DCS design specification, the cause and effects charts, and the as‐built Tricon
databases from recent gas plant upgrade projects. All aforementioned technical documents,
specifications, and databases were first reviewed and approved by the client before they were
referenced.
5.3.1 DESCRIPTION PARAMETER
Every distributed control system point required a point description parameter (PTDESC) to be
configured that provided information related to the point’s purpose and role within the safety
system control scheme. This point parameter was limited to 24 characters and was an abbreviated
description taken from the cause and effects charts. Even though there were 1679 points, each with
unique roles in the distributed control system, point descriptions were grouped and standardised
according to cause and effects chart grouping and description, and also aligned with as built point
descriptions from a similar upgrade in train 5 and the DCS specification. As part of this project the
point description parameters were configured, checked by I&E Systems engineers and approved by
the client. [8]
5.3.2 ALARM PRIORITY PARAMETER
Every digital point was assigned an alarm priority according to its role in the control scheme and the
risk associated with the alarm event occurring. The Honeywell distributed control system was
configured to allow 4 priority levels: emergency, high, low and journal. Alarm priorities were
selected according to the as‐built points database alarm priorities from a similar as‐built database.
This was possible as the two projects were uniformly designed and shared common alarm types. The
as‐built alarm priorities were then cross‐checked with groupings and priorities defined by the cause
and effect charts and the DCS specification. The alarm priorities were then checked by I&E Systems
senior engineers, reviewed by the client and updated if required. [8]
Each alarm priority was configured to be displayed in the DCS with a certain colour related to each
alarm’s urgency and risk. For example, high and emergency alarms were configured to be displayed
using red text on the operator graphics. Low and journal priority alarms were represented using
yellow text, and healthy alarms or conditions were displayed using green text. This is summarised in
Table 6.
Table 6 Distributed control system point alarm priorities and colour language
5.3.3 ASSOCIATED DISPLAY PARAMETER
Every DCS point required an ASSOCDSP (Associated Display) parameter to be configured. The
ASSOCDSP parameter linked the point to the primary graphic on which it appeared. When an alarm
occurs, an alarm summary appears on the operator’s HMI faceplate. The operator then selects the
alarm and is taken to its primary graphic, which it is linked to through the use of the point’s
ASSOCDSP parameter. [8]
Any point may be referenced by several sub pictures on several graphics and the ASSOCDSP
parameter stated the most relevant and critical graphic related to the function or purpose of that
DCS Point. For example, if the DCS point “35TZ128” appears on a process graphic, a process
overview graphic and a shutdown graphic, the point’s ASSOCDSP parameter would be configured to
the shutdown graphic name (LPGSD8) as this was the most detailed and helpful page that the
operator could be directed to in the event of a temperature trip alarm. [8]
The ASSOCDSP point parameter was one of the last DCS point parameters that could be configured.
This was because it would be very tedious, time consuming and prone to error to manually go
through each graphic and list all of the points referenced within all sub pictures and dynamic texts. A
much more efficient, systematic, and accurate method for configuring the ASSOCDSP point
parameter was used which required that all graphics were validated.
Validating a set of DCS graphics converted the entire contents into a text based “EB” format. This
was achieved using Honeywell GUS Tools software. The EB file contained all of the information
relevant to static and dynamic text, sub‐picture parameters and dynamic text script. The EB file
listed all of the DCS graphics and the points contained within them.
An I&E Systems in‐house program was used to convert the EB file into a Microsoft Access database.
A query was then performed in conjunction with the relevant points database to populate the
ASSOCDSP column by inserting the applicable graphic title in every occurrence of a tag match
between the two databases.
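The tag-matching query described above, as an added example that is not I&E Systems’ in-house program: an in-memory SQLite database stands in for the Access databases, and the EB conversion is assumed to have already produced the graphic-to-tag rows. The table layout, the `priority` column used to choose between several matching graphics, and every tag and graphic name other than 35TZ128 and LPGSD8 are constructed for illustration.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for the points database and the converted EB data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE points (tag TEXT PRIMARY KEY, assocdsp TEXT);
        -- priority is hypothetical: 1 = most detailed page for the operator
        CREATE TABLE graphics (graphic TEXT PRIMARY KEY, priority INTEGER);
        CREATE TABLE graphic_refs (graphic TEXT, tag TEXT);
    """)
    conn.executemany("INSERT INTO points (tag) VALUES (?)",
                     [("35TZ128",), ("35XS900",), ("35LZ777",)])
    conn.executemany("INSERT INTO graphics VALUES (?, ?)",
                     [("LPGSD8", 1), ("LPGPROC1", 2), ("LPGOVW", 3)])
    conn.executemany("INSERT INTO graphic_refs VALUES (?, ?)", [
        ("LPGPROC1", "35TZ128"), ("LPGOVW", "35TZ128"), ("LPGSD8", "35TZ128"),
        ("LPGPROC1", "35XS900"),
        ("LPGOVW", "35ZZ001"),  # referenced on a graphic, absent from points
    ])
    conn.commit()
    return conn


def populate_assocdsp(conn):
    """Fill points.assocdsp from tag matches and report what needs review."""
    conn.execute("""
        UPDATE points SET assocdsp = (
            SELECT r.graphic
              FROM graphic_refs AS r
              LEFT JOIN graphics AS g ON g.graphic = r.graphic
             WHERE r.tag = points.tag
             ORDER BY COALESCE(g.priority, 999), r.graphic
             LIMIT 1)
    """)
    conn.commit()
    # Points that appear on no graphic: an alarm on these has nowhere to go.
    no_graphic = [t for (t,) in conn.execute(
        "SELECT tag FROM points WHERE assocdsp IS NULL ORDER BY tag")]
    # Tags drawn on a graphic that do not exist in the points database.
    orphan_refs = [t for (t,) in conn.execute(
        """SELECT DISTINCT tag FROM graphic_refs
            WHERE tag NOT IN (SELECT tag FROM points) ORDER BY tag""")]
    # Points matched on several graphics, where the automatic pick
    # deserves a second look by an engineer.
    multi_match = [t for (t,) in conn.execute(
        """SELECT tag FROM graphic_refs
            WHERE tag IN (SELECT tag FROM points)
            GROUP BY tag HAVING COUNT(DISTINCT graphic) > 1 ORDER BY tag""")]
    return {"no_graphic": no_graphic, "orphan_refs": orphan_refs,
            "multi_match": multi_match}


def assocdsp_of(conn, tag):
    """Return the ASSOCDSP value stored for a tag, or None."""
    row = conn.execute(
        "SELECT assocdsp FROM points WHERE tag = ?", (tag,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    print(populate_assocdsp(db))
    print("35TZ128 ->", assocdsp_of(db, "35TZ128"))
```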
5.3.4 PRIMARY MODULAR IDENTIFIER POINTS
A Primary Modular Identifier or PRIMMOD was an alarm group that was both a DCS point itself, and
a parameter of most points which required configuring. The PRIMMOD point behaved like a switch
that is activated when a point goes into an alarm state. It does not cause an alarm itself but alerts
the operator that something at a lower level is in an alarm state. For example, if an operator is
looking at a high level overview page on the HMI and an alarm occurs at a lower level, the PRIMMOD
point is activated and an alarm is flagged on the graphic that the operator is viewing. The operator
can then go to the alarm console page, select the activated alarm and is then directed to the lower
level page (due to the linked ASSOCDSP parameter), such as LPGMOS1 where the operator can view
the exact point that is in alarm and has access to corrective action options. This is illustrated in
Figure 8. [8]
Figure 8 Maintenance override switch Honeywell graphical alarm summary overview
The PRIMMOD point collects alarm related details from all of the points configured to reference that
PRIMMOD point within the graphic. A PRIMMOD was created for each graphic and named after that
graphic. All points on that graphic were assigned the corresponding PRIMMOD in order to collect
the alarm state of all data points on the graphic. The intern created and configured 6 LPG
maintenance over‐ride, and 13 LPG shutdown FLAGNIM PRIMMOD points so that the lower level
alarms could be signalled on the high level LPG maintenance over‐ride switch and shut‐down
overview graphics. [8]
5.3.5 SLOT NUMBER POINT PARAMETER
Each DCS point was assigned a slot number (SLOTNUM) which linked the point to a memory location
on its Tricon Safety Manager Module (SMM) node. Slot numbers were configured to have set ranges
for each data point type and a unique slot number within each category. They were different to a
PLC address (Tricon alias), which were related to Tricon logic coding functions and Tricon main
processor memory locations. Figure 9 below shows the number of input and output point slots
configured on the SMM node within TPN3 using Honeywell Native Windows software. [8]
Figure 9 Honeywell Native Windows points slot address allocation
All 1679 DCS points required a SLOTNUM parameter to be configured. For example, digital input
points or DINNIMs required the SLOTNUM parameter to be configured with the next available
integer between 0 and 700.
5.3.6 TRICON ALIAS POINT PARAMETER
A Tricon Alias Number (PLCADDR) was a parameter that required configuring for each point that
linked DCS points to Tricon tags and memory locations. This was essentially how field input and
output device signals were transferred from the Tricon IPS to the DCS graphics. The PLC address
parameter required configuring for all 664 digital input points and was done by referencing the
addresses provided by the Tricon logic coding engineers in the Tricon Global Variable (TRGLBVAR)
database.
The problem with configuring this parameter was that the TRGLBVAR database was not available
until the Tricon logic coders had completely finished programming the Tricon, which occurred 3
weeks after the DCS database was configured. This was resolved by populating the Tricon alias
number parameters with the temporary address “0.0000” so that the points database could be
loaded onto the Tricon chassis safety manager module and the addresses updated using Native
Windows software once the Tricon global variable database was available.
5.3.7 PROGRESS
A complete list of the DCS configuration tasks that were worked on is outlined within the Gantt chart
in Appendix A. As can be seen in table 7 below, the first 6 tasks were successfully completed on time.
The remaining two underwent 13 and 20 day delays before they could commence due to waiting for
the completion of preceding tasks and a delayed alarm objective analysis meeting. Eventually they
were completed within the expected task durations.
Table 7 DCS points configuration main project tasks and progress
5.3.8 PROBLEMS AND SOLUTIONS
Some of the problems and solutions which arose while completing the listed DCS configuration tasks
are shown below:
1. After a significant number of “PTDESC” parameters had been configured and standardised it was discovered, while looking at the TPN5 as‐built points database parameters, that this description parameter was limited to a maximum of 24 characters. This was resolved by listing all of the point descriptions which exceeded 24 characters and devising a list of standard abbreviations to implement across the group of points.
2. Only one engineer could update the Microsoft Access DCS points database at any time. Several team members were involved in building and updating this spreadsheet, which led to several hours of delays while waiting for it to become available. Additional planning and communication were required to resolve this issue and it was decided that the higher priority task would be assigned precedence.
3. Waiting for the Tricon coders to finish before the Tricon Alias (PLC address) list became available was another problem that required solving. The PLC address parameters needed to be entered into the DCS points database for it to be loaded on the Tricon safety manager module, and this event was scheduled before the Tricon coders had completed the logic. This problem was solved by entering temporary addresses so that work setting up the DCS points database was not delayed.
4. Cause and effects chart revisions significantly affected the DCS points database configuration tasks as they were the central source of technical information specific to the project. As a result of a late revision update, changes were made to existing point descriptions and several new first out points were added to the project scope. To solve this problem the new and the previous cause and effects chart revisions were compared and all changes affecting the DCS points configuration were highlighted. Thirty six new points were added to the points database using Native Windows software, and 6 were deleted due to changes in the cause and effects charts. The description parameters of 45 points also required updating to be aligned with the changes requested by the client.
5. Honeywell network interface module loading calculations were estimated long before the total number of HMI graphics and DCS points were known. Honeywell NIM hardware processing power was then sized accordingly. These calculations were performed after the graphics and points database were complete to check that the NIM loading of all devices on the UCN and LCN had not been exceeded.
5.4 HUMAN MACHINE INTERFACE GRAPHICS BUILDING
5.4.1 OVERVIEW
Each graphic was built up using static text and sub‐pictures that do not change, and dynamic text
and sub‐pictures configured to link one or more DCS points to signal plant alarm conditions. Dynamic
sub‐pictures could be either configured using Visual Basic script or by including relevant DCS point
tags within the sub‐pictures attributes. The latter method is shown in figure 11 below.
The Honeywell DCS upgrade project scope involved 55 human machine interface (HMI) graphical
pages. Twenty five pages required modifying to be integrated with the new NIM points, 23 new
graphical pages were also built, 2 pages were superseded and 5 pages were not changed. There
were 6 maintenance over‐ride pages, 18 shutdown pages, 6 boil off gas and refrigerant pages, 6
compressor pages, and 12 LPG overall process graphical pages completed within the project.
The complete list of new and modified graphics was provided by the client. All sub‐pictures were
pre‐approved by the client before use on any graphics. Once the HMI graphical pages were modified
or built they were sent to the client for checking and approval. Once this process was complete, the
sub‐picture parameters were configured.
The HMI sub‐pictures were configured by referring to the DCS design specification, the cause and
effects charts, and the as‐built Honeywell graphics from recent gas plant upgrade projects. The
graphics and sub‐pictures then required checking by I&E Systems senior engineers to ensure they
conformed to the client’s standards and to mitigate the risk of configuration errors. Internal pre‐FAT
was next performed to discover and fix any errors before the client assisted with factory acceptance
testing hosted by Western Controls.
5.4.2 SUB PICTURE CONFIGURATION
Figure 10 below represents page 2 out of 13 Honeywell DCS shut down graphical pages that were
developed. The layout of the page and its contents was directly related to the cause and effect
charts. Sub‐pictures were grouped by causes, effects, trip groups (UZ103 and 104 in this example)
and first out type alarms. This information was derived directly from the cause and effects charts.
Figure 10 Honeywell graphical user station sub picture graphics configuration
Whether the entire graphical pages were new or modified, changes were made according to
information provided by the cause and effects charts and by referring to the most recent as built
graphics from the previous gas plant safety system upgrade project. Sub‐pictures were selected from
an approved list and arranged according to information provided on the cause and effects charts.
The completed graphics were sent to the client for checking and mark‐ups and the graphics building
process was repeated until the client approved the layout of the graphics and sub‐pictures.
Once the layout of the graphics and arrangement of approved sub‐pictures was complete, each sub‐
picture was configured by referring to the cause and effects charts, the DCS points database and the
TPN5 set of as‐built graphics. Each sub‐picture had between 1 and 9 parameters to be configured,
depending on the type and function of the sub‐picture. Figure 12 below shows the first of 9
parameters that required configuring for one of the low pressure alarm sub‐pictures in pressure
vessel from the figure 11 shutdown graphics page.
Figure 11 Sub picture parameter configuration example
Table 8 below shows the name of each of the 9 parameters that required configuring for the
aforementioned 35PZ105 low pressure alarm sub‐picture.
Table 8 Alarm sub picture parameter configuration example
5.4.3 PROGRESS
A complete list of the HMI graphics building tasks worked on within the project is outlined by the
Gantt chart in Appendix A. As can be seen in table 9 below, all 7 major tasks were successfully
completed on time with no delays affecting the scheduling of factory acceptance testing.
Table 9 Honeywell human machine interface graphics building project progress
5.4.4 PROBLEMS AND SOLUTIONS
Some of the problems and solutions that arose while completing the listed HMI graphics building
tasks are discussed below:
1. On several occasions, sub‐pictures were required that needed either more or fewer
parameters, or a different length alarm text. These sub‐pictures had to be created and
approved for use by the client.
2. Every trip alarm group should always exist in both a MOS and a shutdown graphic. Three
alarm trip groups were found to be missing from the shutdown graphics. The senior
engineer was notified and it was decided that space was to be found on an existing graphic
to display all of the sub‐pictures required for those groups.
3. While configuring the first out dynamic sub‐pictures, it was discovered that there were
several sets of first out DCS points, one for each cause and effect trip group that they were
associated with. For example, 35P105F1, 35P105F2, 35P105F3, rather than the typical
35P105F. To determine which point was applicable to each trip group, the cause and effects
charts were referenced.
4. Several first out points could not be found on the printed set of cause and effect (C&E)
charts. It was discovered that the missing points had been picked up in a recent client C&E
chart review and an updated revision of these documents was available.
5. As a result of an alarm objective analysis meeting with the client, many sub‐picture alarm
display texts had changed. This resulted in a different alarm sub‐picture being required and
all related sub‐pictures required updating. This caused approximately 8 additional hours to
be spent replacing the out‐dated sub‐pictures.
6. Honeywell graphical user station (GUS) Tools software was only compatible with out‐dated
Windows NT operating systems, which no workstations in the office supported. An
appropriate computer was set up to run this software and was available by remote desktop
log in.
6 I&E SYSTEMS FACTORY ACCEPTANCE TESTING
6.1 OVERVIEW
Factory Acceptance Testing (FAT) is a major phase in an oil & gas process plant upgrade project
whereby hardware and software is locally set up and tested to ensure it meets the design
specification and conforms to the necessary engineering standards. This is an efficient, cost effective
approach which reduces the risk of errors and failures during site acceptance testing and project
commissioning phases.
FAT took place in part at the IES Perth CBD office and in part at the Western Controls (WC) factory. All
software was installed, and the DCS points and graphics loaded, at the I&E Systems office. All
new Tricon equipment and associated hardware was setup in Kewdale where the new software and
hardware was implemented and tested. Assistance was provided with both of these project phases,
mainly focusing on DCS points database related setup and configuring.
A simplified testing station in the I&E Systems office was required to load the safety system software
while the technicians were constructing the factory acceptance testing system at the Western
Controls building. This meant that the software was made accessible, therefore several engineers
could get an early start at software loading and configuring while waiting for the entire FAT system
to be constructed, without intermittently travelling from the city to Kewdale. From experience with
previous projects this method was found to be very efficient as it saved travelling time, led to less
time being required at Western Controls and made it easier for multiple engineers to coordinate
working on the same software for different tasks throughout the day.
6.2 SYSTEM DESIGN
The first problem to be solved before FAT at the I&E Systems office could commence was
determining the minimum amount of hardware that was required to install, configure and test the
system from the Tricon controller to the Honeywell DCS. The overall system architecture design had
been completed by I&E Systems engineers and equipment procured for fully assembled Western
Controls factory acceptance testing. This included several racks of physical input switches, dials and
LED output indicators, cabinets full of I/O marshalling terminals, two complete Honeywell DCS
processing chassis, two Tristation computers, two Honeywell HMI computers with four monitors,
cabinets containing 11 Tricon chassis, 22 power modules and 63 assorted I/O and communications
Tricon modules. However, the much smaller I&E Systems test equipment list had not yet been
designed.
After researching the complete Western Controls factory acceptance testing equipment list and
discussing the subject with several engineers at I&E Systems experienced with factory acceptance
testing similar projects, a minimalistic software testing system was designed. It was discovered that
only one of the Honeywell processing chassis was required to setup the Honeywell universal control
network and local control network for TPN1 and TPN3.
Both of the Honeywell HMI computers were necessary for TPN1 and TPN3, although each desktop
computer only required one monitor to load and configure the DCS points and the HMI graphics. As
this software testing process did not require simulated input and output devices, none of the
physical switches, dials, LED indicators or marshalling terminal racks were found to be necessary for
the early software configuring “pre‐FAT” project phase held in the I&E Systems Perth CBD office.
It was determined that only one Tricon chassis was required for the pre‐FAT phase, containing one
power module, one main processor module, one module to communicate with a Tristation
computer (TCM) and one module to communicate with the Honeywell protocol universal control
network (SMM). No redundant power supply or communication modules, or field input and output
modules were found to be required as they were not necessary for loading and configuring the
Honeywell and Tristation software. Instead of requiring one Tristation computer for each instrument
protective system, it was discovered that only one computer was sufficient for the purpose of
configuring the Tricon controller and loading the IPS1 and IPS2 Tricon tags and control logic.
6.3 LOCAL CONTROL NETWORK SYSTEM ARCHITECTURE
The minimalistic pre‐FAT hardware setup is shown in Figure 12, I&E Systems CBD Tricon and
Honeywell software installation and configuration booth.
Figure 12 I&E Systems CBD Tricon and Honeywell software installation and configuration booth
The Tricon Chassis houses the power module, communications, I/O, and SMM cards, along with the
three main processing cards required for the triple modular redundant safety system programmable
logic controller. The Tristation console loads and configures the Tricon functional block logic and
Tricon points onto the Main Processor (MP) cards, via the Tricon Communications Module (TCM).
The Unisim Station loads and configures the NIM simulated devices and the GUS console loads and
configures the History Module (HM) and NIM nodes on the Honeywell Local Control Network (LCN).
An annotated image of the main Tricon and Honeywell hardware components setup in the I&E
Systems office for pre‐FAT is shown below in Figure 13 I&E Systems software testing Tricon and
Honeywell local control network. The blue Ethernet cable connects the Tristation Console to the
TCM card using a Modbus over TCP communications protocol. [9]
Figure 13 I&E Systems software testing Tricon and Honeywell local control network
The SMM card, furthest to the right in the Tricon chassis, communicates with the Tricon Main
Processor via the back plate terminals using a Triconex proprietary protocol “Tribus”. The SMM card
connects the Universal Control Network (UCN) to the NIM cards with a coaxial cable using a
Honeywell proprietary communications protocol. The NIM cards are then connected to the LCN,
along with the NIMSIM, the History Modules and the EST’s. The UNISIM station was then connected
to the NIMSIM via an Ethernet hub.
6.4 SOFTWARE CONFIGURATION
Once the Tricon and Honeywell hardware was setup in the I&E Systems testing cubicle the
Honeywell Native Windows, Graphical User Station and Unisim software was installed and
configured by a Honeywell engineer. A Tricon coding engineer from I&E Systems installed the
Tristation software which enclosed the completed safety system functional block program. It was
then the role of the intern to establish communications between the Tristation software and the
Tricon controller, and successfully download the Tricon logic and points database onto the Tricon
main processor.
The first step towards establishing Tristation to Tricon communications via the Tricon
Communications Module (TCM) was to discover how the Tricon coding engineers had setup the
hardware using the Tristation software, specifically which Tricon chassis slot the Tricon programmers
had configured the TCM to be installed in. This was achieved using the Tristation software to view
the Tricon hardware allocation configuration page. As shown in figure 14, the software was
configured based on the TCM cards being located in Tricon chassis slots 2L and 2R. One of the TCM
cards was then fitted into this slot and the second was not required until factory acceptance testing
at Western Controls as it was the redundant backup card.
Figure 14 Tristation software chassis slot allocation
The blue Ethernet cable shown in figure 13 was then connected from the Tristation switch to the
Tricon communications card and a download of the latest Instrument Protective System 1 (IPS1) Tricon
code onto the Tricon main processor module was attempted. This came back with a
communications error. After researching the Tricon configuration manual it was discovered that the
second step to achieve communications between the Tristation console and the Tricon controller
was to physically set the Tricon network node address to match the address selected by the Tricon
coders using the Tristation software. After discussing this with the Tricon coders at I&E Systems it
was found that they allocate the next free address on the entire instrument protective system
network on site at the gas plant and this needed to be set using a pair of dials on the front of the
Tricon main processor card in the Tricon chassis.
Figure 15 below shows a typical Tristation communication page, which stores the Tricon instrument
protective system node name, number and IP address. Using this information it could be gathered
that the IPS1 network node address needed to be set to 20 on the Tricon main processor module so
that the software could establish communications with the Tricon hardware. This was achieved by
turning the two Tricon main processor dials to 2 and 0 and then the logic download button was
selected in the Tristation software.
Figure 15 Tristation to Tricon controller communication configuration
The second download attempt failed as communications were still not possible. The blue ethernet
cable was then swapped with another and the same result occurred. Upon closer inspection of the
Tricon main processor card it was noticed that the two network node dials indicated 0 to 9 and A to
F. It was decided to try the hexadecimal numeral system, which is often used to represent computer
memory addresses as each hexadecimal digit represents half of a binary byte (a byte being 8 bits). For example
0 to F in hexadecimal equates to 0 to 15 in decimal, and FF represents 255, or 1 byte in decimal.
It was then known that the network node addresses for Tricon IPS1 and IPS2 were 20 and 26
respectively. These two decimal numbers converted to 14 and 1A in the hexadecimal numeral
system. The dials on the main processor card were used to select 1 and 4 and another logic
download was attempted. This also failed.
The Tricon manual was researched and it was found that an in‐built failsafe function of the Tricon
controller was that changes such as the network node address are only binding once the power to
the main chassis has been cycled. This was to prevent tampering or vibration changing the address
and the safety system potentially failing (even though there are two redundant main processor
cards in the chassis waiting to take control). The power was switched off for several minutes and the
same communications error occurred once again after the power was restored.
A Tricon expert was then consulted in the office who revealed that there is a battery in the Tricon
chassis which needs to be removed in order for the power to be switched off, another built in
failsafe measure. The chassis power and the backup battery were then disconnected for half an hour
to ensure that all the charge within the controller had dissipated.
At this point the battery was re‐attached, restoring the power to the main chassis, and the
system was allowed to power up completely. Microsoft DOS was then used to ping the network IP address
provided by the Tristation communications panel. The ping statistics revealed that 4 packets were
sent and successfully received. The logic download was attempted one more time, which finally led
to successful communications between the Tristation software and Tricon hardware. As a result, the
IPS1 Tricon code and points were successfully downloaded and saved onto the Tricon main
processor module as desired.
6.5 SYSTEM BACKUPS
Working as a control systems engineer it is common and highly likely that during the course of a
project one or more computers will fail and lose all of their stored information. This was a major
cause of concern as the software testing hardware was transported from Perth CBD to Kewdale for
Western Controls factory acceptance testing. This is the reason that system backups are extremely
important in this industry, as they were during the safety system upgrade project.
While working on the Tricon controller project weekly backup copies of the latest DCS database and
HMI graphics were made to prevent loss of work. As the computers running Native Windows and
Tristation were not allowed to have network connections as mentioned previously, they did not
automatically backup their files onto the I&E Systems server like all other networked computers in
the office. This meant that it had to be done manually by saving the files onto a thumb drive and
then uploading them onto the DAD database.
Figure 16 below shows typical Unix style Honeywell commands required to take backup copies of the
configured DCS database using Native Windows software.
Figure 16 Honeywell Native Windows Unix backup file commands
The same configuration backup check‐pointing can be performed by saving the node data as shown
in figure 17 below. The check‐pointing backup method saves an image of the DCS points and
configuration setup on the Tricon safety manager module node and is performed daily as it only
takes several minutes to complete the task. The drawback of this method is that the data is saved in a
raw format that only allows the file to be reloaded, which prevents exporting the information so that
it can be viewed or modified in an Access or Excel database.
Figure 17 Honeywell distributed control system points check‐pointing
When the hardware was transported from I&E Systems to Western Controls and TPN3 was set up, it
was discovered that an error had occurred which set all of the PLC Addresses to 0. This was resolved
by loading the DCS points check point which was taken the day before.
Another method of data backup is shown in Figure 18 Honeywell distributed control system safety
manager module points and personality imaging below. This technique takes a few hours to
complete; however, the resulting EB file can be exported into a useable Microsoft Access database
for viewing and modifying data during the software configuration process. This method saves the
most recent “image” of DCS setup and points configuration that is stored on the Tricon/Honeywell
safety manager module within the Tricon main chassis.
Figure 18 Honeywell distributed control system safety manager module points and personality imaging
7 WESTERN CONTROLS FACTORY ACCEPTANCE TESTING
7.1 TRICON INSTRUMENT PROTECTIVE SYSTEM NETWORK
Table 10 lists the Tricon chassis and modules implemented during the gas plant Instrument
Protective System (IPS) upgrade project for IPS1 and IPS2. This equipment was set up at the Western
Controls warehouse in Kewdale, in the same arrangement that will eventually be used on site, so that each
element could be tested according to very thorough Factory Acceptance Testing (FAT) work pack
procedures. Assistance was provided with the FAT hardware setup and software testing, and
the factory acceptance testing of IPS1 was successfully completed during the course of the 16 week
internship.
The testing was supervised in part by the client to ensure the hardware and software met the scope
of works and was fit for purpose. In summary there were a total of 11 Tricon chassis, 63 processing,
communications and input/output modules and 22 power modules setup and tested.
Table 10 Tricon instrument protective system hardware bill of materials for the upgrade project
7.2 FACTORY ACCEPTANCE TESTING SETUP
Figure 19 below shows the factory acceptance testing area setup at the Western Controls’ building in
Kewdale. The racks on the left third of the image contained on/off switches, potentiometers and
LEDs which simulated all of the existing sensors and indicators (physical inputs and outputs)
associated with the safety system upgrade at the plant. The wiring terminal racks in the centre of the
image were exact replicas of the existing marshalling cabinets in terms of dimensions and terminal
blocks. They were used to connect the test inputs and outputs to the Tricon programmable logic
controller network. The cabinets in the right third of the image contained all of the input and output
device related Tricon equipment.
Figure 19 Western Controls factory acceptance testing hardware setup
The two desktop computers in the centre of the image were used to run Tristation and Native
Windows software which display and control Tricon logic and Honeywell distributed control system
functions respectively. These stations could not have internet connectivity as security issues were
taken into consideration, so the laptop on the right was used to access internal IES network
documents and for emailing.
7.3 SIMULATED INPUTS AND OUTPUT DEVICES
Figure 20 Western Controls factory acceptance testing simulated input and output devices shows a
detailed view of 2 rack units' worth of testing inputs and outputs. The LEDs in the upper rack
simulated Tricon digital outputs such as valve open and closed positions or compressor on or off
states. The potentiometers in the middle of the image were used to test analog inputs such as
pressure or temperature transmitters. The on and off switches in the lower half of the lower rack
were used to simulate Tricon digital inputs such as hand switches and limit switches.
Each input and output was labelled with its actual existing tag name and was grouped according to
physical device locations at the gas plant. The input states were manually cycled and the control
strategy tested using output LED indicators, online Tricon functional block logic actions, and
Honeywell human machine interface alarm summary pages.
Figure 20 Western Controls factory acceptance testing simulated input and output devices
Figure 21 depicts the wiring terminal racks which were also utilised and tested during the factory
acceptance testing phase of the safety system upgrade project. First they were constructed and
wired by Western Control technicians, then subjected to a 160 hour full load test, and then used to
transfer signals between the testing inputs and outputs and the Tricon input and output modules, via
external terminal panels (ETP). By pre‐wiring and testing this electrical instrumentation equipment in
the exact arrangement existing at the plant, a level of safety and reliability was introduced. The
project efficiency was significantly increased as the future working hours on site and the complexity of
the task were reduced, lowering the chance of error, personal fatigue and overall project expense.
Figure 21 Western Controls factory acceptance testing input and output device wiring marshalling terminals
Figure 22 shows the Tricon external terminal panels that integrated the marshalling terminal wiring
looms with the Tricon network. This equipment eliminated the need to individually connect wires to
the Tricon controller input and output modules, which eliminated human error and the chance of
poor wiring connections, while reducing installation complexity and time.
Figure 22 Western Controls factory acceptance testing Tricon external terminal panel integration
7.4 TRICON CHASSIS CABINETS
The five Tricon chassis shown in figure 23 demonstrate the IPS2 input and output device control
system integration. The middle left chassis appeared distinctly different to the others in this figure
due to the six orange cables attached to the main processor cards. This was because it was an RXM
Tricon chassis which facilitated remote field input and output devices on the Tricon instrument
protective system two (IPS2) network. Each processor module was connected to a redundant pair of orange
fibre optic communications cables which ran from the IPS2 main chassis. The other four chassis in
this image housed the IPS2 analog and digital input and output modules, along with a few spare slots
per chassis to cater for future upgrades.
Figure 23 IPS2 gas plant loading and unloading process controlling Tricon chassis
Figure 24 Tricon IPS2 main chassis shows the redundant pair of power supply modules mounted in
the two slots at the far left of the Tricon chassis. These were common to all Tricon chassis as a
failsafe precaution and are required for TUV certification. Three redundant main processor cards and
6 digital input cards were also shown installed in this Tricon chassis. The external terminal panel
connecting cables were located above the chassis cards and connected the field device inputs and
outputs to the Tricon network and effectively the input and output modules.
Figure 24 Tricon IPS2 main chassis
The complete bill of materials listed in table 10 is illustrated in Figure 25 Safety system upgrade project Tricon and Honeywell hardware overview below. The image shows the two cabinets on the right which housed the distributed control system related Tricon equipment and the IPS1 and IPS2 main chassis. Four Tricon chassis contained communications modules, safety manager modules and main processor cards. The Honeywell network interface modules and history modules were located in the lower section of the image. The four grey cables connected to the upper right chassis represented two redundant pairs of universal control network (UCN) cables. They connected each Tricon main chassis as nodes on their associated Honeywell UCN via Tricon safety manager modules.
Figure 25 Safety system upgrade project Tricon and Honeywell hardware overview
7.5 METHOD
Factory Acceptance Testing (FAT) was managed by I&E Systems and supervised in‐part by the client.
A client‐approved FAT procedure, called the staging master, was strictly followed by I&E Systems
Tricon coding engineers, who created a punch list log, or staging log, as they discovered faults and
discrepancies. The alarms were tested using physical input and output simulated devices, such as
off/on switches, potentiometer dials and LED indicators. The Honeywell distributed control system
points and alarm functionality were also tested during staging by forcing the points in the Tricon
functional block logic using Tristation software.
The FAT log items which were thought to be related to Honeywell DCS point configuration errors
were corrected and cleared. The log items were repaired by comparing the Native Windows
parameters of the points loaded on the Tricon safety manager module with the configuration
stipulated by the DCS points database and the Tricon global variable database. This task was
performed for IPS1 (TPN1, fire and gas UCN2). Out of a total of 292 tests listed on the IPS1
staging master, 55 items were recorded on the FAT log.
All 55 IPS1 staging master items were found to be related to the DCS points configuration, with 32 of
the items being resolved by updating the point's PLC address, or Tricon Alias, from 00000 to that
stated in the Tricon global variable database provided by the Tricon coding engineers at I&E
Systems. A late change to the cause and effects chart alarm grouping, requested by the client,
resulted in a late change to the Tricon coding, and affected many of the Tricon tag addresses. This
meant that several groups of flagged DCS points were built and configured with an address of 00000,
as their addresses were unknown at the time and this was the most efficient way to continue DCS
database progress and avoid delays.
7.6 FAT CASE STUDY - CORRECTING STAGING LOG ITEMS
7.6.1 TRICON DIAGNOSTIC ALARM SUMMARY PAGE
An example of a set of Honeywell distributed control system points which were investigated during
factory acceptance testing is shown in Figure 26 Honeywell Native Windows plant operators Tricon
diagnostics alarm summary graphic. The image shows a Honeywell Native Windows screenshot of
the digital input points loaded onto one of the safety manager module Tricon cards in Total Plant
Network 1 (TPN1). These Tricon system diagnostics points alert the operator of Tricon hardware
related faults. During Factory Acceptance Testing (FAT) of Instrument Protective System (IPS) 1, one
of the tasks undertaken was to check the status of the IPS1 diagnostic points and repair them if
found to be faulty.
Figure 26 Honeywell Native Windows plant operators Tricon diagnostics alarm summary graphic
This task was recorded as one of the IPS1 FAT log items to be amended before IPS1 FAT could
conclude, as it was noted by the Tricon engineer that several diagnostic points were in a fault state.
As shown by the Native Windows diagnostic summary page below, the two diagnostic points
XLP101RF and XLP1TUV were showing faults that needed to be investigated and repaired. For the
purpose of describing the typical process followed to repair each staging log item, the point
XLP1TUV will be focussed on.
7.6.2 TRICON TUV DIAGNOSTIC POINT REPAIRING
The point XLP1TUV exists because of a TUV certification requirement that an alarm must be set if a
Tricon chassis does not have all three main processor modules in a healthy state. If this alarm is
triggered it is flagged in the diagnostic point summary page, as shown below, and also in the
Honeywell HMI overall alarm summary page, which the operator is required to view on one of the
control room monitors. Another function of this alarm is triggering an instrument protective system
orderly shutdown if one module is continuously unhealthy for 3000 hours, and also if two main
processor modules are in unhealthy states continuously for 150 hours.
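The timing rule described above, modelled as an added example (not code from the report or from the Tricon system). It assumes that the one-module timer also runs while two modules are unhealthy and that a timer restarts as soon as its condition clears; the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Limits as stated in the report for the XLP1TUV function.
ONE_FAULT_LIMIT_H = 3000  # one main processor unhealthy, continuous hours
TWO_FAULT_LIMIT_H = 150   # two main processors unhealthy, continuous hours


@dataclass
class TmrMonitor:
    """Tracks continuous degraded time for a three-processor chassis."""
    one_fault_h: int = 0
    two_fault_h: int = 0

    def step(self, healthy, hours=1):
        """Advance by `hours` with health flags (mp_a, mp_b, mp_c).

        Returns (alarm, shutdown).
        """
        faulted = 3 - sum(bool(h) for h in healthy)
        # "Continuously": each timer restarts when its condition clears.
        self.one_fault_h = self.one_fault_h + hours if faulted >= 1 else 0
        self.two_fault_h = self.two_fault_h + hours if faulted >= 2 else 0
        alarm = faulted >= 1  # diagnostic alarm as soon as any module is unhealthy
        shutdown = (self.one_fault_h >= ONE_FAULT_LIMIT_H
                    or self.two_fault_h >= TWO_FAULT_LIMIT_H)
        return alarm, shutdown


def first_shutdown_hour(timeline):
    """timeline: list of (hours, health flags) segments.

    Returns the elapsed hour at which an orderly shutdown is requested,
    or None if no limit is reached.
    """
    monitor, elapsed = TmrMonitor(), 0
    for hours, healthy in timeline:
        for _ in range(hours):  # one-hour steps give the exact trip hour
            elapsed += 1
            _, shutdown = monitor.step(healthy)
            if shutdown:
                return elapsed
    return None


if __name__ == "__main__":
    # Constructed timeline: 10 healthy hours, then two modules unhealthy.
    ok, bad2 = (True, True, True), (False, False, True)
    print(first_shutdown_hour([(10, ok), (200, bad2)]))
```
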
7.6.3 HONEYWELL NATIVE WINDOWS ENGINEERING MAIN MENU
Figure 27 below depicts the Honeywell Native Windows software engineering main menu screen.
The headings shown in the screenshot all relate to loading and configuring the Honeywell control
networks, DCS points and HMI graphics. This page was effectively used as the Native Windows
“home page” during the FAT log DCS points repairing phase of the project. From the main menu the
next step of the point repairing process was to select the “builder commands” heading to navigate
to the “command display” menu.
Figure 27 Honeywell Native Windows points configuration engineering main menu
7.6.4 HONEYWELL NATIVE WINDOWS COMMAND DISPLAY
The aforementioned command display page is shown here in Figure 28 Honeywell Native Windows
command display points configuration menu. This display was used by the intern to access the DCS
point parameter configuration pages. The DCS point name was entered into the Entity name cell and
then the Reconstitute command was selected to interrogate that point. In this example the point
XLP1TUV was investigated.
Figure 28 Honeywell Native Windows command display points configuration menu
7.6.5 XLP1TUV DCS POINT PARAMETER RECONSTITUTE COMMAND
The previous “reconstitute” command returned the first parameter configuration page out of six for
the point XLP1TUV, as shown in figure 29 below. The parameter settings on each page were scanned
to check if there were any inconsistencies with the XLP1TUV parameter configuration in the latest
version of the IPS1 DCS points database. In the point parameter configuration below no
discrepancies with the database were noticed.
Figure 29 Honeywell Native Windows XLP1TUV point interrogation page 1
On the third parameter configuration page for the point XLP1TUV it was discovered that the PLC
address had been set to 00000. This was known to be the problem that triggered the fault
alarm on the diagnostic point summary page, from previous experience configuring the DCS points
database and from knowing that all digital points required a unique non-zero PLC address (Tricon Alias).
The point's address was then found in the DCS points database, entered and saved, as shown in
Figure 30 Honeywell Native Windows XLP1TUV point interrogation page 3.
Figure 30 Honeywell Native Windows XLP1TUV point interrogation page 3
After checking the successive XLP1TUV point configuration pages it was discovered on page five that
the alarm option for this point was set to “NONE” and the off normal alarm priority parameter was set
to “NOACTION”. This indicated that the HMI would perform no action and record no alarm when the
Tricon controller tripped this digital input point. To repair these errors these parameters were set to an
alarming option of “OFFNORML” and an off normal alarm priority of “LOW” to align the
configuration of the point XLP1TUV loaded onto the Tricon safety manager module with the
arrangement designated by the DCS points database. The repaired parameters are shown in figure
31 below. After an alarm meeting with the client this point was later uprated to an alarm priority of
“EMERGENCY”, and this parameter, along with 10 others, was also adjusted using the Native
Windows point reconstitute function.
Figure 31 Honeywell Native Windows XLP1TUV point interrogation page 5
7.6.6 TRISTATION POINT FORCING AND TESTING
To confirm that the point XLP1TUV had been repaired and was alarming correctly, the diagnostic
summary page was checked again; the fault code had successfully been cleared. To check the
correct alarming option for the point the intern used Tristation software to force the digital bit on
and off (1 and 0) to test the response by the Honeywell HMI graphics. The Tristation functional block
program point testing is shown in Figure 32 Tristation functional block logic XLP1TUV variable
forcing.
Figure 32 Tristation functional block logic XLP1TUV variable forcing
Figure 33 below shows the Honeywell Native Windows DCS alarm details page for the point
XLP1TUV. When the point's Tricon tag was set to 1 or true, the linked point in the DCS displayed a
normal state as shown in Figure 33 Native Windows XLP1TUV point detail graphic. Alternatively,
when the Tricon tag was set to 0 or false the shutdown alarm was displayed. This confirmed that the
point was configured correctly, and it was then removed from the FAT log list.
Figure 33 Native Windows XLP1TUV point detail graphic
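The manual comparison carried out in this case study (loaded point parameters against the DCS points database) can be expressed as a batch check. The following is an added example, not part of the original report or of any Honeywell or Triconex tool: the CSV layout, column names, `XLP_DEMO*` points and all addresses other than 00000 are constructed for illustration.

```python
import csv
import io

# Constructed sample exports. Column names and every address other than
# 00000 are hypothetical; the XLP_DEMO* point names are made up.
LOADED_CSV = """point,plc_address,alarm_option,offnormal_priority
XLP1TUV,00000,NONE,NOACTION
XLP101RF,00000,OFFNORML,LOW
XLP_DEMO3,10245,OFFNORML,LOW
XLP_DEMO4,10245,OFFNORML,LOW
"""
DATABASE_CSV = """point,plc_address,alarm_option,offnormal_priority
XLP1TUV,10231,OFFNORML,LOW
XLP101RF,10232,OFFNORML,LOW
XLP_DEMO3,10245,OFFNORML,LOW
XLP_DEMO4,10246,OFFNORML,LOW
XLP_DEMO5,10247,OFFNORML,LOW
"""
FIELDS = ("plc_address", "alarm_option", "offnormal_priority")


def load(text):
    """Parse an export into {point name: row}."""
    return {row["point"]: row for row in csv.DictReader(io.StringIO(text))}


def audit(loaded, database):
    """Return (point, code, detail) findings for every database point."""
    findings, seen = [], {}
    for name in sorted(database):
        want, have = database[name], loaded.get(name)
        if have is None:
            findings.append((name, "NOT_LOADED", "in database, not on module"))
            continue
        addr = have["plc_address"]
        if not addr.strip("0"):  # 00000 placeholder left from build time
            findings.append((name, "ZERO_ADDRESS", addr))
        elif addr in seen:  # every digital point needs a unique alias
            findings.append((name, "DUPLICATE_ADDRESS", f"shared with {seen[addr]}"))
        else:
            seen[addr] = name
        for field in FIELDS:
            if have[field] != want[field]:
                detail = f"{field}: loaded {have[field]}, database {want[field]}"
                findings.append((name, "MISMATCH", detail))
        # A point that raises no alarm hides the fault from the operator.
        if have["alarm_option"] == "NONE" or have["offnormal_priority"] == "NOACTION":
            findings.append((name, "ALARM_DISABLED", "no HMI alarm on trip"))
    return findings


if __name__ == "__main__":
    for finding in audit(load(LOADED_CSV), load(DATABASE_CSV)):
        print(*finding, sep=" | ")
```

A check of this kind finds configuration drift only; the forcing test in section 7.6.6 is still what proves the alarm reaches the HMI.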
7.7 PROGRESS
To enable this project, Tricon and Honeywell related hardware and software, such as Native
Windows, Graphical User Station, Tristation and Tricon chassis and modules, were thoroughly
researched. This is shown in Table 11 Factory acceptance testing major tasks and project progress.
Honeywell engineers completed the setup of all pre‐FAT hardware in the I&E Systems office and the
installation of all Tricon and Honeywell software and loading of all DCS points and GUS graphics were
successfully completed. The equipment was then transferred to Western Controls in Kewdale and
integrated with the remaining Tricon chassis, modules and I/O testing apparatus.
The TPN1 and IPS1 DCS related FAT log (or staging list) items were successfully completed by
reconstituting each point using Native Windows software and correcting the parameter configuration.
Due to a late cause and effects chart revision, changes to Tricon code, DCS points configuration and
HMI sub-picture configuration were required, which led to a four week delay to the start of factory
acceptance testing. This provided the opportunity to update the aforementioned effects of the
cause and effects chart changes, although it did not offer exposure to TPN3 factory acceptance testing.
Table 11 Factory acceptance testing major tasks and project progress
8 CONCLUSION
The internship with I&E Systems was a great experience, providing exposure to a real control system
engineering project. This allowed the development of both professional and personal skills, working
among a team of highly specialised and skilled senior control system engineering consultants. I&E
Systems was found to be an extremely professional and efficient engineering practice, with a safety
philosophy and record second to none.
The implementation of Dynamic Asset Documentation (DAD) provided an extremely useful,
organised and intuitive tool for retrieving and uploading all technical documents related to the gas
plant safeguarding system upgrade project and made it simple to work autonomously on a highly
technical project.
Working at I&E Systems provided realistic experience of the engineering industry, including time
management, team work, delays and scope changes. These skills are transferable to any
engineering discipline and are an important step towards becoming a professional engineer.
Sixteen weeks were completed with I&E Systems on the Tricon controller implementation and
Honeywell HMI upgrade project, between their Perth CBD office and Western Controls’ factory
acceptance testing facility in Kewdale. During the course of this term, 1679 DCS points and 48 HMI
graphics were successfully configured, and 55 DCS related IPS1 staging log items were corrected,
with assistance from the team of senior control system engineers at I&E Systems.
Due to delays triggered mainly by late cause and effect chart changes and a delayed alarm objective
analysis meeting, Tricon instrument protective system 1 (IPS1) commenced factory acceptance
testing approximately one month later than had been planned. This allowed for development of a
deeper understanding of the DCS points configuration theory and software, and allowed completion
of factory acceptance testing of Tricon IPS1 and Honeywell TPN1. However, the delay didn’t allow
IPS2 FAT to commence until after the term of the internship contract.
9 FUTURE WORK
During factory acceptance testing it was not possible to network either of the two Honeywell
graphical user station consoles due to the potential of system damage from foreign destructive
programs and possible communication restrictions due to firewall settings. This meant it was not
possible to remotely log into these computers from the I&E Systems office. If this could be resolved
in future it would be of great benefit to factory acceptance phases of future projects, saving many
hours in travelling time and allowing factory acceptance testing to be a much more efficient project
stage.
To complete the project deliverables, there were outstanding tasks such as adding process
engineering flow scheme references to 17 functional logic and 11 safety cause and effect charts,
creating 80 maintenance and alarm trip set point validation procedures, and creating “right click”
points databases for TPN1 and TPN3 graphics. There was also the major task of IPS2/TPN3 factory
acceptance testing, followed by IPS1 and IPS2 site acceptance testing and commissioning.
On conclusion of the internship placement, the intern was awarded a full-time position to stay
on at I&E Systems as a graduate control system engineer. This will enable completion of the
aforementioned outstanding tasks and involvement in Tricon IPS2 and Honeywell TPN3 factory
acceptance testing at Western Controls.
10 BILIOGRAPHY [1] Triconex – Tricon Chassis and module image. Accessed 05/11/2013. http://www.controlglobal.com/assets/00_images/2013/Tricon‐Image.jpg
[2] Project 44137 – Tricon Safety System. Document Number: 8569‐0228, Revision: A. Retrieved July 2013.
[3] FSC Upgrade Cause and Effects (C&E) Charts – Process and Fire & Gas. Retrieved July 2013.
[4] TÜV RHEINLAND – Functional Safety. Accessed 06/08/2013. http://www.tuv.com/en/australia/home.jsp
[5] TÜV RHEINLAND – Key Business Areas and History. Accessed 06/08/2013. http://www.tuv.com/media/corporate/aboutus_5/pdf_1/Tuev_Rheinland_business_streams.pdf
[6] I&E Systems – About Us, Services and Functional Safety Engineering. Accessed 11/08/2013. http://www.iesystems.com.au/default.aspx
[7] DAD ‐ Dynamic Asset Documentation Version 10. Accessed 11/08/2013. http://www.dad.net.au/v10.0/Default.aspx
[8] Honeywell – Engineer’s Reference Manual. Accessed 05/08/2013. http://download.gongkong.com/file/2007/6/27/EngineersReferenceManual.pdf
[9] Triconex – Planning and Installation Guide: Version 10 systems. Accessed 08/10/2013. http://pbadupws.nrc.gov/docs/ML0932/ML093290420.pdf
[10] Invensys –Tricon Version 10 Product Specification. Accessed 11/09/2013. http://iom.invensys.com/EN/pdfLibrary/ProductSpec_Triconex_Tricon_03‐10.pdf
[11] Invensys –TriStation Version 4.9 Software Development and Datasheet. Accessed 11/09/2013. http://iom.invensys.com/EN/pdfLibrary/Datasheet_Triconex_Tristation1131v4‐9_01‐13.pdf
[12] Honeywell – TPN/TDC 3000 Controller. Accessed 11/09/2013. https://www.honeywellprocess.com/en‐US/explore/products/control‐monitoring‐and‐safety‐systems/integrated‐control‐and‐safety‐systems/honeywell‐upgrades/Pages/tdc‐3000.aspx
[13] Honeywell – Unisim Operations Suite Product Information Note. Accessed 05/08/2013. https://www.honeywellprocess.com/library/marketing/notes/pin‐unisim‐operations‐r400.pdf
11 APPENDIX A – PROJECT GANTT CHART
12 APPENDIX B – TYPICAL OVERALL CONTROL SYSTEM UPGRADE HARDWARE NETWORK